Sealing data with TPM on VxWorks
By Ka Kay Achacoso
VxWorks support for data protection makes use of the Trusted Platform Module (TPM), a secure cryptoprocessor used to establish root of trust in security systems. TPMs can be used in several security processes, including local attestation and remote attestation. This blog entry focuses on a different aspect: using a TPM as a root of trust for storage and how VxWorks uses the TPM to secure data at rest.
Let’s say I have some top secret data stored as a set of bytes on a VxWorks device. I don’t want any unauthorized persons to be able to read it. If someone manages to copy the file from the device’s storage, or tries to hack into the VxWorks device to access the data in storage, I don’t want them to be able to read the data. In other words, I want to seal the data from unauthorized access. See Figure 1.
Figure 1 – The top secret data file in a VxWorks device.
To keep the top secret data from unauthorized eyes, I encrypt the data. TPMs, however, were not designed for encrypting long data streams . For large amounts of data, VxWorks includes OpenSSL, which is capable of AES encryption using a 256-bit key. TPM hardware includes a random number generator that can generate cryptographically secure unique 256-bit keys. I can use OpenSSL and a unique 256-bit key generated by the TPM to encrypt my top secret data. Now I have two pieces of data: my encrypted top secret data, and my 256-bit AES key needed to decrypt my top secret data. See Figure 2.
Figure 2 – Encrypt the secret data using OpenSSL with a 256-bit AES key.
Wrapped Keys Hierarchy
The encrypted top secret data is as secure as my AES key. Whoever has my AES key can read the top secret data. To protect my AES key, I hide it in another encrypted file. To do this, I encrypt my AES key with a second key. In trusted computing terminology, I have “wrapped” my AES key with another key. Now I’m holding 3 pieces of data: my encrypted top secret data, my wrapped AES key, and my key to unwrap the AES key. See Figure 3.
Figure 3 – Wrap the 256-bit AES key with another key.
Now the top secret data is as secure as my key to the AES key. I hide the key to the key to the top secret data by wrapping it, too. I could go on forever, wrapping my latest key in another key, and wrapping *that* key in yet another key, and wrapping *that* key in yet another key…
You can see that ultimately, the top secret data is only as secure as the very last key, which is my root key. To take advantage of the TPM, I can conceal the root end of the chain of wrapped keys inside the TPM hardware. Here is how this works.
Let’s unwind to the scenario in Figure 2. I have the top secret data, and I have a 256-bit AES key. I want to wrap my 256-bit AES key to hide it. The TPM sets up an RSA key pair and uses the public key to wrap the AES key. The result is a wrapped AES key that was encrypted by an RSA public key inside the TPM. To unwrap the AES key, I need the private key inside the TPM. See Figure 4.
Figure 4 – Wrapping my 256-bit AES key with an RSA key managed by the TPM.
However, the TPM will not give me the private part of the RSA key pair. Instead, the TPM gives me the RSA keys wrapped by a root key in the TPM. The wrapped RSA key pair appears in the form of a series of bytes. This series of bytes representing the wrapped RSA key pair is called a TPM key blob. When the VxWorks device shuts down, the RSA key pair is wiped out from the TPM. So I have to save the TPM key blob somewhere, and the key blob can only be unlocked with the root key inside the TPM. See Figure 5.
Figure 5 – TPM wrapping the RSA key-pair with the Storage Root Key (SRK), which can never leave the TPM.
The root key inside the TPM is a special key called the Storage Root Key (SRK). It is one of the few keys persistent in the TPM, and remains there even after a power cycle. It is known only to that one TPM, and cannot be pulled out of the TPM. The TPM can use the SRK to wrap and unwrap keys, but its private key cannot be read.
In the entire chain of wrapped keys, the root key is the SRK stuck forever inside the TPM. By using the SRK as my root key, I can establish a root of trust for storage inside the TPM.
I have the encrypted top secret data, a wrapped AES key, and an RSA key blob. The RSA key in the key blob is wrapped using the SRK known only to TPM. To decrypt my top secret data, I load the RSA key blob into the TPM so that the TPM can unwrap it using the SRK. Then I pass the wrapped AES key to the TPM so that the TPM can unwrap it using the RSA key. Then I use OpenSSL software cryptography to decrypt my top secret file. This is just working backwards from right to left in Figure 5.
Using system state and password to secure data
Moreover, the unwrapping of keys can only succeed when the state of the system at the time of key unwrapping matches the state of the system at the time of key wrapping. The TPM contains a special set of registers called Platform Configuration Registers (PCR). The full explanation of PCRs is outside the scope of this blog entry, but a simplistic explanation is that the values of the PCR are unique to the software that’s running on the system and cannot be replicated. If an intruder runs a different set of software to get at my wrapped keys, the key unwrapping fails.
Figure 6 – RSA keys are wrapped with SRK, and protected by SRK password and PCRs which are impossible to replicate.
The SRK is protected by an SRK password. Only users who know the SRK password can unwrap the next key in the chain. See Figure 6.
To summarize, my top secret data can only be read if all of the following conditions are met:
- The wrapped AES key, the wrapped RSA key-pair, and the encrypted data file are available
- The original TPM hardware is used for decryption. (Someone can’t move my encrypted top secret data and wrapped keys onto a different device to unwrap keys and read the data.)
- The VxWorks device is running the known intended set of software modules. (Someone can’t boot up my device into a different operating system and use the TPM to unwrap keys that way.)
- The user starting the chain of key unwrapping must know the SRK password.
TrouSerS on VxWorks
TrouSerS (http://trousers.sourceforge.net/) is an open-source software stack designed by the Trusted Computing Group that provides APIs for interacting with TPM hardware. This stack has been integrated into VxWorks to enable applications to make use of the TPM. In addition to the basic TrouSerS implementation, the TrouSerS TPM-Tools module is also included.
The TPM-Tools module contains simple commands that are easy to control the TPM from the VxWorks C-shell. The process of sealing (encrypting) a file consists of several calls to OpenSSL and to the TPM. TPM-Tools module wraps up all those steps into a single method called tpm_sealdata(). The input to the method is the data file to be encrypted, the list of PCRs to be locked, and the SRK password. The output is a single encrypted file that contains three sections: the encrypted data, the wrapped AES key, and the wrapped RSA key blob from the TPM. This file can be stored in a file system. When it’s time to unseal (decrypt) the file, TPM-Tools provides the tpm_unsealdata() method, which parses the encrypted file for the three sections, then uses the TPM to unwrap the keys, and uses OpenSSL to decrypt the data.
Variations on File Sealing
The file sealing process described in this blog follows the tpm_sealdata() execution, and provides one example of the file sealing operation. You can adapt the operation to suit your own needs. For example, you can extend the key-wrapping chain to more keys and store the wrapped keys in different storage areas. You can enter a different password for each key blob. You can change the encryption algorithm for the top secret data.
TPM has options for defining a root key that can be moved to a different TPM so that you are not locked to one specific piece of hardware. You can investigate the TPM Migratable Root Key for more information.
When working with data sealing, you should also understand cases when you permanently lose your root keys. In those cases, your data remains sealed forever, even from you. For example, most systems allow your TPM to be cleared, which deletes the SRK permanently. Without the SRK, there is no way to unwrap keys and unseal the data. If your system state is compromised, and you can no longer run the same software that was running at the time of key wrapping, then your original PCR values will not match the values needed to unwrap the keys.
The VxWorks team is dedicated to providing security solutions for embedded devices. Data protection with TPM support is one of many security solutions on the VxWorks platform. Check out http://www.windriver.com/products/vxworks/technology-profiles/#security for more security solutions.